A compromised AccessKey pair can lead to unauthorized resource access, unexpected charges, and data breaches. Take immediate action when you suspect that an AccessKey pair for your Alibaba Cloud account or a RAM user has been compromised.
How Alibaba Cloud responds automatically
Alibaba Cloud continuously monitors for publicly exposed AccessKey pairs. When a compromised AccessKey pair is detected, Alibaba Cloud takes two actions:
Notifies you through the contact information associated with your account, including SMS, email, and console messages.
Applies a restrictive protection policy to the compromised AccessKey pair, blocking high-risk API operations until you take action.
For details about which operations are blocked, see Apply a restrictive protection policy to an AccessKey pair.
If you receive a compromised AccessKey pair notification through SMS, email, or console messages, take immediate action. You are responsible for auditing your account for any unauthorized activity.
Under the shared responsibility model, you are responsible for securing your credentials. Alibaba Cloud provides automated detection for publicly exposed AccessKey pairs, but you must manage and protect all of your AccessKey pairs.
Respond to a compromised Alibaba Cloud account AccessKey pair
Take one of the following actions on the AccessKey page:
AccessKey pair is not in use: Disable and delete it.
AccessKey pair is in use: Rotate it. Create a new AccessKey pair, update your applications to use the new pair, and then disable and delete the compromised one.
Respond to a compromised RAM user AccessKey pair
Choose the response that matches your situation:
AccessKey pair is not in use: Immediately disable and delete it.
AccessKey pair is in use and can be rotated immediately: Create a new AccessKey pair, update your applications, test the change, and then disable and delete the compromised pair. For more information, see Rotate an AccessKey pair.
AccessKey pair is in use and cannot be rotated immediately: Complete the following four steps to contain the risk while you prepare for rotation.
Step 1: Restrict permissions
Immediately attach a custom policy to the RAM user that explicitly denies high-risk operations. This limits the potential damage from the compromised AccessKey pair by preventing actions such as deleting resources or creating backdoor accounts.
Also review the RAM user's existing permissions and remove any that are not essential for ongoing business operations.
The following sample policy denies high-risk operations across multiple services. Evaluate and customize this policy based on your security requirements before applying it.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:AddUserToGroup",
        "ram:AttachPolicyToGroup",
        "ram:AttachPolicyToRole",
        "ram:AttachPolicyToUser",
        "ram:ChangePassword",
        "ram:CreateAccessKey",
        "ram:CreateLoginProfile",
        "ram:CreatePolicyVersion",
        "ram:CreateRole",
        "ram:CreateUser",
        "ram:DetachPolicyFromUser",
        "ram:PassRole",
        "ram:SetDefaultPolicyVersion",
        "ram:UpdateAccessKey",
        "ram:SetPasswordPolicy",
        "ram:UpdateRole",
        "ram:UpdateLoginProfile",
        "ram:UpdateUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:DeleteInstance",
        "ecs:DeleteInstances",
        "ecs:DeregisterManagedInstance",
        "ecs:ReleaseDedicatedHost"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "rds:DeleteAccount",
        "rds:DeleteDatabase",
        "rds:DeleteDBInstance",
        "rds:DestroyDBInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteBucket",
        "oss:DeleteObject",
        "oss:PutBucketAcl",
        "oss:PutBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "log:DeleteLogStore",
        "log:DeleteProject",
        "log:PutProjectPolicy",
        "log:DeleteProjectPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dysms:CreateProductNew",
        "dysms:CreateSmsTemplateNew",
        "dysms:AddSmsTemplate",
        "dysms:SendSms",
        "dysms:SendBatchSms"
      ],
      "Resource": "*"
    }
  ]
}
For instructions on creating and attaching this policy, see Create a custom policy and Grant permissions to a RAM user.
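Because the page asks you to customize the deny policy before applying it, a quick offline check that the customized document still blocks the operations you care about is useful. The following is an added example, not part of the Alibaba Cloud documentation: it evaluates a RAM policy document with explicit-Deny-wins semantics and reports which of a required set of high-risk actions are not covered. The embedded policy is a constructed, shortened subset of the page's policy; MUST_DENY is an assumed list you would tailor to your environment.

```python
import fnmatch
import json

# Constructed, shortened subset of the page's deny policy. In practice,
# read the customized document from disk with json.load() instead.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["ram:CreateAccessKey", "ram:CreateUser",
                    "ram:AttachPolicyToUser"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["oss:DeleteBucket", "oss:DeleteObject"],
         "Resource": "*"},
    ],
})

# Assumed list of actions that must stay denied while the compromised key
# is live: backdoor-account creation and resource deletion (per the page).
MUST_DENY = ["ram:CreateUser", "ram:CreateAccessKey",
             "ram:CreateLoginProfile", "ecs:DeleteInstance",
             "oss:DeleteBucket"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # RAM policy elements may use '*' wildcards (e.g. "ram:Create*").
    # Matching is case-sensitive here so a mistyped action shows as a gap.
    return fnmatch.fnmatchcase(value, pattern)


def is_denied(policy, action, resource="*"):
    """True if any Deny statement matches; an explicit Deny overrides Allow."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        res_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and res_hit:
            return True
    return False


def coverage_gaps(policy, must_deny):
    """Actions from must_deny that the policy would still let through."""
    return [a for a in must_deny if not is_denied(policy, a)]
```

Run coverage_gaps on the full customized document; an empty list means every required action is explicitly denied.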
Step 2: Enable MFA
If the RAM user has console logon permission, enforce multi-factor authentication (MFA) to prevent unauthorized console access.
Step 3: Audit operations
Audit all activity performed with the compromised AccessKey pair to identify unauthorized actions. Look for unusual patterns such as resource creation or deletion in unexpected regions, or API calls from unknown IP addresses.
Method 1: RAM console (quick review)
Log on to the RAM console.
In the left-side navigation pane, choose .
Click the username of the target RAM user.
On the user details page, click the Authentication tab.
In the AccessKey section, review the operation history and last used information for the AccessKey pair.
Method 2: ActionTrail (comprehensive audit)
Log on to the ActionTrail console.
In the left-side navigation pane, click AccessKey Pair Audit.
Filter the event history by the compromised AccessKey ID to review all associated API calls and user activities.
ActionTrail does not log data events for some services, such as object-level access in OSS. Enable and check service-specific logs for these events.
Check for lateral movement
An attacker might have used the compromised AccessKey pair to create backdoor accounts or additional AccessKey pairs. During your audit, look for suspicious activity from other RAM users or AccessKey pairs:
For any legitimate user with suspicious activity, immediately reset their password and enforce MFA.
Delete any RAM users that were created without authorization.
If you find other compromised AccessKey pairs, follow this same procedure to restrict their permissions and rotate them.
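The audit in Step 3 and the lateral-movement check above can be scripted against an ActionTrail event export. The following is an added example, not part of the Alibaba Cloud documentation: it filters events made with the compromised AccessKey ID, flags RAM operations that create or extend a foothold, collects the principals those operations touched so you can review or delete them, and lists source IPs outside a known set. The events are constructed samples; the field layout (userIdentity, eventName, sourceIpAddress, requestParameters) is assumed to follow ActionTrail's export format and the AccessKey IDs and IP addresses are placeholders.

```python
# Placeholder AccessKey ID and a constructed set of known egress IPs.
COMPROMISED_AK = "LTAI-EXAMPLE-COMPROMISED"
KNOWN_IPS = {"203.0.113.10"}

# Constructed ActionTrail-style events; field names are assumed.
EVENTS = [
    {"eventTime": "2024-05-01T02:11:09Z", "eventName": "DescribeInstances",
     "serviceName": "Ecs", "sourceIpAddress": "203.0.113.10",
     "userIdentity": {"userName": "app-svc", "accessKeyId": COMPROMISED_AK},
     "requestParameters": {}},
    {"eventTime": "2024-05-01T03:40:51Z", "eventName": "CreateUser",
     "serviceName": "Ram", "sourceIpAddress": "198.51.100.77",
     "userIdentity": {"userName": "app-svc", "accessKeyId": COMPROMISED_AK},
     "requestParameters": {"UserName": "svc-backup2"}},
    {"eventTime": "2024-05-01T03:41:13Z", "eventName": "CreateAccessKey",
     "serviceName": "Ram", "sourceIpAddress": "198.51.100.77",
     "userIdentity": {"userName": "app-svc", "accessKeyId": COMPROMISED_AK},
     "requestParameters": {"UserName": "svc-backup2"}},
    {"eventTime": "2024-05-01T04:05:00Z", "eventName": "PutObject",
     "serviceName": "Oss", "sourceIpAddress": "203.0.113.10",
     "userIdentity": {"userName": "ci-bot", "accessKeyId": "LTAI-EXAMPLE-OTHER"},
     "requestParameters": {}},
]

# RAM operations that create or extend a foothold; the page's deny policy
# blocks these once attached, so any hit predates containment.
PERSISTENCE_OPS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                   "CreateRole", "AttachPolicyToUser", "AttachPolicyToRole"}


def audit_compromised_key(events, compromised_ak, known_ips):
    """Summarize what the compromised key did: persistence events, principals
    to review or delete, and source IPs not in the known set."""
    findings = {"persistence": [], "review_principals": set(), "unknown_ips": set()}
    for ev in events:
        if ev.get("userIdentity", {}).get("accessKeyId") != compromised_ak:
            continue  # activity of other keys is checked separately
        ip = ev.get("sourceIpAddress")
        if ip and ip not in known_ips:
            findings["unknown_ips"].add(ip)
        if ev["eventName"] in PERSISTENCE_OPS:
            params = ev.get("requestParameters", {})
            target = params.get("UserName") or params.get("RoleName")
            findings["persistence"].append((ev["eventTime"], ev["eventName"], target))
            if target:
                findings["review_principals"].add(target)
    return findings
```

Every principal in review_principals should then be treated as a possible backdoor: delete it if it was created without authorization, or reset its password and enforce MFA if it is a legitimate user.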
Step 4: Check for abnormal charges
Review your billing details in the Expenses and Costs console for any unexpected charges. Unauthorized resource usage—such as cryptocurrency mining—can cause a significant increase in costs. If you find unauthorized resources, document them for your investigation and then delete them.
Best practices for prevention
To reduce the risk of future AccessKey pair compromises, see Best practices for using an access credential to call API operations.